libcurl3-gnutls in trusty fails to verify certificates when certificate chain is out-of-order
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
curl (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
libcurl3-gnutls 7.35.0-1ubuntu2.17 fails to verify the remote certificate if the certificate chain provided is out-of-order. This is caused by the libgnutls-dev package dependency, since the libgnutls26 package has apparently long been known to have this issue: https:/
This bug can be observed with git, which depends on libcurl3-gnutls:
git clone https:/
Cloning into 'libmicrohttpd'...
fatal: unable to access 'https:/
The libgnutls28 package fixes this issue, since out-of-order certificate chains are allowed in that package. I am not very familiar with the Debian packaging process, so I was wondering if it is possible at all to bump the dependency of libcurl3-gnutls from libgnutls-dev -> libgnutls28-dev for trusty.
libgnutls28-dev conflicts with libgnutls-dev. At first sight, one of dependencies of libcurl3-
Given that the above bug filed against gnutls26 is still open after 4 years, I thought it might be easier to solve it on the libcurl dependencies. (Is it?)
Thanks.
Status changed to 'Confirmed' because the bug affects multiple users.
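To make "out-of-order" concrete, the following is an added example, not code from the report, curl or GnuTLS. It checks whether a presented chain has each certificate directly followed by its issuer (the order TLS 1.2 requires of the sender) and rebuilds that order the way a tolerant verifier must before path validation. The `Cert` type, function names and certificate names are hypothetical, and linking is by subject/issuer name only.

```python
# Added example: certificate names below are constructed sample data.
# Linking is by subject/issuer name only; a real verifier also checks signatures.
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    subject: str
    issuer: str


def is_ordered(chain: List[Cert]) -> bool:
    """True if every certificate is directly followed by its issuer."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))


def reorder(chain: List[Cert]) -> Optional[List[Cert]]:
    """Return the chain leaf-first, or None if it is not one unbroken path."""
    by_subject = {c.subject: c for c in chain}
    if len(by_subject) != len(chain):
        return None  # duplicate subjects make the path ambiguous
    issuers = {c.issuer for c in chain if c.issuer != c.subject}
    leaves = [c for c in chain if c.subject not in issuers]
    if len(leaves) != 1:
        return None  # no leaf (loop) or several unrelated leaves
    ordered, seen = [leaves[0]], {leaves[0].subject}
    while ordered[-1].issuer != ordered[-1].subject:  # stop at self-signed root
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None:
            break  # issuer was not sent (root usually comes from the trust store)
        if nxt.subject in seen:
            return None  # issuer loop
        ordered.append(nxt)
        seen.add(nxt.subject)
    return ordered if len(ordered) == len(chain) else None  # stray certs -> None


LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
OUT_OF_ORDER = [LEAF, ROOT, INTERMEDIATE]  # what a misconfigured server might send

if __name__ == "__main__":
    print("ordered as sent:", is_ordered(OUT_OF_ORDER))
    for cert in reorder(OUT_OF_ORDER) or []:
        print(" ", cert.subject, "<-", cert.issuer)
```

A verifier that walks the list strictly in the order received stops at the second certificate of `OUT_OF_ORDER` and rejects the chain, even though every certificate needed for a valid path is present.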